QUESTION 92The Cisco ASA software image has been erased from flash memory. Which two statements about the process to recover the Cisco ASA software image are true? (Choose two.)

A. Access to the ROM monitor mode is required.B. The Cisco ASA appliance must have connectivity to the TFTP server where the Cisco ASA image is stored through the Management 0/0 interface.C. The copy tftp flash command is necessary to start the TFTP file transfer.D. The server command is necessary to set the TFTP server IP address.E. Cisco ASA password recovery must be enabledAnswer: AD

QUESTION 93Which two Cisco ASA licensing features are correct with Cisco ASA Software Version 8.3 and later? (Choose two.)

A. Identical licenses are not required on the primary and secondary Cisco ASA appliance.B. Cisco ASA appliances configured as failover pairs disregard the time-based activation keys.C. Time-based licenses are stackable in duration but not in capacity.D. A time-based license completely overrides the permanent license, ignoring all permanently licensed features until the time-based license is uninstalled.

Answer: AC

QUESTION 94Which three actions can be applied to a traffic class within a type inspect policy map? (Choose three.)

A. dropB. priorityC. logD. passE. inspectF. reset

Answer: ACF

QUESTION 95Which Cisco ASA platform should be selected if the requirements are to support 35,000 connections per second, 600,000 maximum connections, and traffic shaping?

A. 5540B. 5550C. 5580-20D. 5580-40

Answer: B

QUESTION 96Authorization of a clientless SSL VPN defines the actions that a user may perform within a clientless SSL VPN session. Which statement is correct concerning the SSL VPN authorization process?

A. Remote clients can be authorized by applying a dynamic access policy, which is configured on an external AAA server.B. Remote clients can be authorized externally by applying group parameters from an external database.C. Remote client authorization is supported by RADIUS and TACACS+ protocols.D. To configure external authorization, you must configure the Cisco ASA for cut-through proxy.

Answer: B

QUESTION 97Which Cisco ASA SSL VPN feature provides support for PCI compliance by allowing for the validation of two sets of username and password credentials on the SSL VPN login page?

QUESTION 83Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN hub router?

A. Only one tunnel can be created per tunnel source interface.B. Only one tunnel can be created and should be associated with a loopback interface for dynamic redundancyC. The GRE tunnel key is used to encrypt the traffic going through the tunnel through the hub.D. You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique tunnel key.

Answer: D

QUESTION 84When you are configuring a hub-and-spoke DMVPN network, which tunnel mode should you use for the spoke router configuration?

QUESTION 86Which two statements about the running configuration of the Cisco ASA are true? (Choose Two)

A. The auto NAT configuration causes all traffic arriving on the inside interface destined to any outside destinations to be translated with dynamic port address transmission using the outside interface IP address.B. The Cisco ASA is using the Cisco ASDM image from disk1:/asdm-642.binC. The Cisco ASA is setup as the DHCP server for hosts that are on the inside and outside interfaces.D. SSH and Cisco ASDM access to the Cisco ASA requires AAA authentication using the LOCAL user database.E. The Cisco ASA is using a persistent self-signed certified so users can authenticate the Cisco ASA when accessing it via ASDM

Answer: AE

QUESTION 87Which option lists the main tasks in the correct order to configure a new Layer 3 and 4 inspection policy on the Cisco ASA appliance using the Cisco ASDM Configuration > Firewall > Service Policy Rules pane?

A. 1. Create a class map to identify which traffic to match.2. Create a policy map and apply action(s) to the traffic class(es).3. Apply the policy map to an interface or globally using a service policy.B. 1. Create a service policy rule.2. Identify which traffic to match.3. Apply action(s) to the traffic.C. 1. Create a Layer 3 and 4 type inspect policy map.2. Create class map(s) within the policy map to identify which traffic to match.3. Apply the policy map to an interface or globally using a service policy.D. 1. Identify which traffic to match.2. Apply action(s) to the traffic.3. Create a policy map.4. Apply the policy map to an interface or globally using a service policy.

A. Each fragment passes through the Cisco ASA appliance without any inspections.B. Each fragment is blocked by the Cisco ASA appliance.C. The Cisco ASA appliance verifies each fragment and performs virtual IP re-assembly before the full IP packet is forwarded out.D. The Cisco ASA appliance forwards the packet out as soon as all of the fragments of the packet have been received.

Answer: C

QUESTION 89Which other match command is used with the match flow ip destination-address command within the class map configurations of the Cisco ASA MPF?

QUESTION 75Refer to the exhibit. Based on the partial configuration shown, which the GET VPN group member GDOI configuration?

A. key server IP addressB. local priorityC. mapping of the IPsec profile to the IPsec SAD. mapping of the IPsec transform set to the GDOI group

Answer: A

QUESTION 76An internet-based VPN solution is being considered to replace anexisting private WAN connectingremote offices. A multimedia application is used that relies on multicast for communication. Which two VPN solutions meet the application’s network requirement? (Choose two.)

QUESTION 78An IOS SSL VPN is configured to forward TCP ports. A remote user cannot access the corporate FTP site with a Web browser. What is a possible reason for the failure?

A. The user’s FTP application is not supported.B. The user is connecting to an IOS VPN gateway configured in Thin Client Mode.C. The user is connecting to an IOS VPN gateway configured in Tunnel Mode.D. The user’s operating system is not supported.

Answer: B

QUESTION 79When implementing GET VPN, which of these is a characteristic of GDOI IKE?

A. GDOI IKE sessions are established between all peers in the networkB. GDOI IKE uses UDP port 500C. Security associations do not need to linger between members once a group member has authenticated to the key server and obtained the group policyD. Each pair of peers has a private set of IPsec security associations that is only shared between the two peers

Answer: C

QUESTION 80Which two features are required when configuring a DMVPN network? (Choose two.)